Hi, this is a suggestion from Stefan Fritsch on how to improve the security of the script even without "sed -z".

Cheers,
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

----- Original message -----
From: Stefan Fritsch <[email protected]>
To: Ondřej Surý <[email protected]>
Cc: Debian Security Team <[email protected]>
Subject: Re: Fixed php5 package for CVE-2014-3710
Date: Wed, 19 Nov 2014 12:00:55 +0100 (CET)

On Wed, 19 Nov 2014, Ondřej Surý wrote:

> -[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne
> "s/^n//p" | xargs -0i echo touch -c -h "'{}'"
> +[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if
> (NR > 1) { print $9; } }' | xargs -i touch -c {}

What is the echo in there for? That seems wrong.

Also, escaping arguments with ' ' is insecure; filenames may contain single quotes, too. Much better to let xargs do the splitting of the args.

You can use perl to replace the sed -z, though:

    [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | perl -0 -n -e 's/^n// and print' | xargs -0 -r touch -c -h

xargs -r: If the standard input does not contain any nonblanks, do not run the command.

xargs -i is not necessary because the args are at the end of the command.

Cheers,
Stefan
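Review bot: the `+` line loses two things along with the move to awk: `-F0` and `-h`. Without `-F0`, `print $9` splits lsof's default output on whitespace, so a session path containing a space is cut off and `touch -c {}` runs on the wrong name; without `-h`, touch follows a symlink and updates the link target's timestamps rather than the link's. Keep the NUL-delimited form (`-F0` feeding `xargs -0 -r`) together with `touch -c -h`, and drop the `echo` in the `-` line, which turns the whole pipeline into a dry run that never touches any file.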

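As an added example (not code from the thread or the php5 package), the NUL-safe extraction Stefan proposes is run against a constructed stand-in for `lsof -F0` output, next to a whitespace-splitting count of the same names that shows why `print $9` or an unquoted xargs misreads them; the function names and the sample paths are made up for the demonstration.

```shell
#!/bin/sh
# Constructed stand-in for `lsof -F0` output: each field is a one-letter
# field id followed by its value and terminated by NUL. One process record
# (p) and three open session files (n), two of them with awkward names.
sample_lsof_f0() {
    printf 'p1234\0'
    printf 'n/var/lib/php5/sess_a1\0'
    printf 'n/var/lib/php5/sess with space\0'
    printf "n/var/lib/php5/sess_it's\0"
}

# Stefan's replacement for `sed -zne "s/^n//p"`: perl -0 makes NUL the
# record separator, -n loops over records, and print keeps the NUL
# terminator on each name so xargs -0 can split on it safely.
names_nul() {
    perl -0 -n -e 's/^n// and print'
}

# How many arguments a NUL-aware consumer (xargs -0 -r) hands to its
# command: one per file, spaces and quotes included. Expect 3.
count_names_nul_safe() {
    sample_lsof_f0 | names_nul | xargs -0 -r sh -c 'echo "$#"' sh
}

# The same names handled by whitespace splitting, as `awk '{print $9}'`
# or a plain `xargs` would see them: the path with spaces becomes three
# "names", so the consumer counts 5 words for 3 files.
count_names_whitespace_split() {
    sample_lsof_f0 | tr '\0' '\n' | sed -n 's/^n//p' | wc -w | tr -d ' '
}

echo "NUL-delimited:         $(count_names_nul_safe) names"
echo "whitespace-split:      $(count_names_whitespace_split) words"
```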
